FYI - ProfitStars (a division of
Jack Henry & Associates, Inc.) today announced the acquisition of
Texas-based AudioTel Corporation. AudioTel supports more than 1,000
financial institutions with back-office and retail banking
FYI - Bajinder Paul
Named Chief Information Officer at the OCC - Comptroller of the
Currency John C. Dugan announced today that he has named Bajinder
Paul to be the Office of the Comptroller of the Currency's next
Chief Information Officer.
FYI - Connecticut Sues
Consultant, Accenture, Over Lost Data - The state is suing for
illegal negligence and breach of contract, but Accenture says the
matter was a mistake based on human error. The State of Connecticut
is suing its own computer consultant, Accenture, for losing
personally identifying information on 58 residents and hundreds of
state bank accounts and purchasing cards.
FYI - Lawmaker seeks
probe of possible cyberattacks at DHS - A top homeland security
lawmaker has called for an investigation into possible cyber attacks
on computer systems at the Homeland Security Department.
FYI - Confidential data
on hard drives turning up - Sensitive information retrieved included
salary details, financial data of specific companies and credit card
numbers - Hard drives full of confidential data are still turning up
on the second-hand market, researchers have reported.
FYI - Fewer Companies
Suffer Security Breaches, But They're Much More Severe - A CompTIA
study also showed that one in four companies surveyed indicated that
they have had an insider security breach or threat in the last year.
FYI - GAO - Veterans
Affairs: Sustained Management Commitment and Oversight Are Essential
to Completing Information Technology Realignment and Strengthening
FYI - Hackers steal
server log-ins from hosting vendor - Layered Technologies' database
breached, 6,000 customers' servers compromised - Server hosting
vendor Layered Technologies Inc. admitted this week that hackers
broke into its support database and made off with as many as 6,000
client records, including log-in information that could give
criminals access to clients' servers.
FYI - Sensitive patient
data stolen from nursing building - 'U' stresses timely reporting of
theft - Since 8,585 tapes were stolen from the School of Nursing two
weeks ago - the third data theft in the last year - University
officials are stressing the importance of protecting against data
FYI - Security team hit
by electronic smear campaign - A team of volunteers formed to help
combat cybercrime has been subjected to an attack which has
attempted to undermine its reputation.
FYI - ABN Amro customer
deets tip up on BearShare - Social security numbers and other
sensitive information belonging to more than 5,000 customers of ABN
Amro Mortgage Group have been leaked onto the BearShare file-sharing
network by a former employee, according to news reports.
FYI - Laptop with child
welfare information stolen - Officials with the state's child
welfare agency say a laptop computer with private information on 41
cases has been stolen. The laptop computer with personal information
about state Department of Children and Families clients in Northwest
Connecticut was stolen from a car.
FYI - June Ohio data
breach affects Minnesota county employees - Add 562 current or
former employees of Ramsey County, Minn., to the list of victims of
the June data breach that affected 1.3 million Ohio residents and
hundreds of Connecticut state bank accounts.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 9 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
Customer Service Complaints
Financial institutions should have plans to respond to customer
complaints, including those regarding the appropriateness or quality
of content, services, or products provided or the privacy and
security policies of the third-party site. The plan also should
address how the financial institution will address complaints
regarding any failures of linked third parties to provide agreed
upon products or services.
Monitoring Weblinking Relationships
The financial institution should consider monitoring the
activities of linked third parties as a part of its risk management
strategy. Monitoring policies and procedures should include periodic
content review and testing to ensure that links function properly,
and to verify that the levels of services provided by third parties
are in accordance with contracts and agreements. Website
content is dynamic, and third parties may change the presentation or
content of a website in a way that results in risk to the financial
institution's reputation. Periodic review and testing will reduce
this risk exposure. The frequency of review should be commensurate
with the degree of risk presented by the linked site.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Utilization of the Internet presents numerous issues and risks which
must be addressed. While many aspects of system performance will
present additional challenges to the bank, some will be beyond the
bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
The risks will not remain static. As technologies evolve, security
controls will improve; however, so will the tools and methods used
by others to compromise data and systems. Comprehensive security
controls must not only be implemented, but also updated to guard
against current and emerging threats. Security controls that address
the risks will be presented over the next few weeks.
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and non-repudiation.
Certificate authorities and digital certificates are emerging
to address security concerns, particularly in the area of
function of and the need for encryption, digital signatures,
certificate authorities, and digital certificates differ depending
on the particular security issues presented by the bank's
technologies, implementation standards, and the necessary legal
infrastructure continue to evolve to address the security needs
posed by the Internet and electronic commerce.
the top of the newsletter
IT SECURITY QUESTION:
Internal controls and procedures: (Part 1 of 2)
a. Are output reports satisfactory for employees to perform their
b. Are output reports satisfactory for management?
c. Are output reports satisfactory for auditing purposes?
d. Are there satisfactory user procedures?
e. Is there separation of duties for input preparation and
f. Is there separation of duties for data entry?
g. Is there separation of duties for operation of the computer
h. Is there separation of duties for handling rejected items for
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and
annual notices, as well as any simplified notice that the
institution may use. Note that the institution may only use the
simplified notice when it does not also share nonpublic personal
information with affiliates outside of Section 14 and 15 exceptions.
Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written customer records where available, determine if the
institution has adequate procedures in place to provide notices to
customers, as appropriate. Assess the following:
a) Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain
the notice (§9(e)).